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Abstract — Recent incidents of cybersecurity violations have 
revealed the importance of having firewalls and other intrusion 
detection systems to monitor traffic entering and leaving access 
networks. But the adoption of such security measures is often 
stymied by 'free-riding' effects and 'shortsightedness' among 
Internet service providers (ISPs). In this work, we develop an 
analytical framework that not only accounts for these issues 
but also incorporates technological factors, like asymmetries 
in the performance of bidirectional firewalls. Results on the 
equilibrium adoption and stability are presented, along with 
detailed analysis on several policy issues related to social 
welfare, price of anarchy, and price of shortsightedness. 

I. Introduction 

The growing incidents of information security breaches 
and attacks, presumably by both state (e.g., Stuxnet) and 
non-state actors (e.g.. Anonymous) on various Government, 
ISP (Internet Service Providers), and e-commerce networks 
have heightened the need for such institutions to adopt 
effective security measures. Cybersecurity has already been 
identified as "one of the most serious economic and national 
security threats" by the US Government in creating its 
Comprehensive National Cybersecurity Initiative (CNCI) [1]. 
Nevertheless, the practical problem of security adoption 
faces several technological (e.g., firewall performance re- 
quirements), economic (e.g., costs of protection), and policy 
(e.g., regulating social welfare) challenges. 

Our work addresses these issues in the context of adoption 
of asymmetric, bidirectional firewalls by autonomous sys- 
tems (e.g., ISPs) in the Internet. We calculate the equilibrium 
adoption level(s) and their stability in terms of the measur- 
able specifications of a firewall, and analyze how factors like 
shortsightedness in the adoption decisions of ISPs impact the 
overall security of such systems of interconnected networks. 

Our work provides insights for both policy guidelines and 
marketing of future firewalls, some of which are listed below: 

• In general, the equilibrium levels of adoption is not unique 
and depend on the initial seeding of the firewalls. However, 
for a given initial seeding, the equilibrium is unique and 
stable. 

• In the case of asymmetric bidirectional firewalls, perfor- 
mance improvements in identifying and blocking outgoing 
threats decreases the overall firewall adoption level in the 
system as a consequence of the free-riding phenomenon. 

• The (centralized) social optimum solution for firewall 
adoption results in each ISP having an individually higher 
utility compared to the decentralized equilibrium. 
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• The optimum regulation on the amount of protection on 
the outgoing traffic in the decentralized scenario is (rather 
counter-intuitively) providing no protection at all. This is 
while the optimum protection in the centralized scenario is 
providing protection on the outgoing traffic as high as the 
protection level on the incoming traffic. This result in turn 
suggests a need for regulation of both firewalls and ISPs. 

• It is possible that the shortsightedness of the ISPs can in 
fact help to improve the overall security of the network. We 
identify specific conditions under which shortsightedness 
in the decision-making of ISPs can helps/hurts the overall 
system security, by introducing the new (general) notion of 
price of shortsightedness. 

Related Literature: Research on network security adop- 
tion is closely related to three related topics: role of network 
externality, game-theoretic models for security, and epidemic 
diffusion. Previous works on the adoption of network tech- 
nologies [2], [3] have studied the role of network externality 
on the equilibrium outcome and diffusion dynamics. Epi- 
demiologists have studied free-riding's impact on vaccination 
strategies as some parents myopically choose not to vaccinate 
their children if the relative risks of contacting a disease 
given its current prevalence is less than the potential for 
damage from the vaccine [4]. Similar results were also 
reported using game-theoretic tools for modeling vaccination 
games [5]-[7]. In the context of network security adoption, 
game-theory has been used to analyze investments in network 
security [8], [9]. Others have proposed cyber-insurance as a 
complementary security mechanism [10]. 

Our work extends these contributions by (a) focusing on 
the question of ISP-wide adoption of security measures as 
opposed to individual user-level patching or cyberinsurance 
provisioning, (b) modeling and analyzing the performance 
of firewalls with asymmetric, bidirectional traffic monitoring 
capabilities. This distinction is particularly relevant from a 
policy perspective of whether a minimum performance is 
required for bidirectional firewalls, especially in view of 
the US Government's CNCI [1] policy of conducting "real- 
time inspection and threat-based decision-making on network 
traffic entering or leaving executive branch networks," and 
(c) explicitly deriving regulation constraints for managing 
the free-riding and shortsightedness of the ISPs. 

II. System Model 

An ISP provides a gateway that connects a subnet to 
the Internet. A firewall software installed by an ISP can 
monitor the incoming and outgoing traffic for blocking 
security breaches. Adoption of such security measures has 
a stand-alone benefit for an ISP. Moreover, it can slow down 
the rate of attacks and provides positive externality to the 



rest of the ISPs (adopters and non-adopters) by improving 
the overall security in the network. Namely, the nodes in 
other ISPs will be less likely to be targeted by an attack 
originating from the subnet of the protected ISPs. However, 
adoption of firewalls is not without cost: there can be a one 
purchase fee, as well as recurrent usage costs such as routine 
maintenance and updating, slower connection as a result of 
latencies introduced by traffic monitoring, /fl/.se positives and 
hence the occasional blocking of the legitimate traffic, etc. 
In what follows we provide a practical model that captures 
the key attributes for adoption dynamics of firewalls. Note 
that our goal is analyzing qualitative patterns and behavior 
of adoption. Hence, we make some technical assumptions 
along the way to keep the model analytically tractable. 

We consider a continuous -time model with A^ inter- 
connected ISP networks. Once an ISP purchases the firewall, 
it can un-adopt it by simply disabling the firewall. Subse- 
quent adoptions are performed by enabling the firewall, and 
in particular, do not entail paying the firewall's one time 
purchase fee. That is, the cost of adoption only includes the 
recurrent usage cost of the firewall for subsequent adoptions 
of an ISP that has purchased it. Hence, we need a model 
that distinguishes between the first adoption and subsequent 
re-adoptions. To do this, we stratify the ISPs into three 
types: (1) ISPs that have purchased and enabled the firewall; 
(2) ISPs that have not purchased it; and (3) ISPs that have 
purchased the firewall but have disabled it. Let the fraction 
of ISPs of each of the above types at time t be x{t), y{t) and 
\ — x{t)—y{t), respectively. The pair {y{t),x{t)) represents 
the adoption state of the network at time t. 

Each ISP independently updates its decision regarding the 
adoption of the firewall at independent random epochs that 
occur according to a Poisson processes with rate y. These 
are the epochs at which an ISP updates its measure of the 
adoption state of the network and accordingly re-evaluates 
its contingent utilities. Specifically, the decisions of the ISPs 
are assumed to be their best response to the current adoption 
state, that is, assuming the current level is not going to 
change. Let v,j(x) : [0,1] — > [0,1] be the probability with 
which a decision-making ISP switches from state / to j, 
where /,y e {n,e,d} represent the state of the ISP with 
respect to adoption. We set the convention that n indicates 
not purchased, e represents purchased and enabled, and d 
denotes purchased but disabled. Note that Vjj is a function of 
x{t) only (and not y{t)), since the ISPs that have not obtained 
the firewall and those that have disabled it are functionally 
similar regarding the protection against threats. For large A^, 
the dynamics of {y{t),x{t)) is close to the solution of the 
following ODE: 

y{t) = -Yy{t>ne{t) (1) 

X{t) = yy{t)Vne{t) + 7(1 -x{t)-y{t))Vde{t) - yx{t)Veci{t) 

The decision of the ISPs is determined by comparing the 
expected utilities given each decision. Accordingly, define 
Gij{x) for /, j e {n,e,d} to be the expected utility of an 
ISP if it changes its adoption state from / to j given the 
current fraction of ISPs with enabled firewalls is x. Simply 
put, Gne{x) is the expected utility of the ISP at its decision- 
making epoch if it purchases and enables the firewall, G„„(x) 



TABLE I 

Main notations in the model 



parameter definition 

A^ number of ISPs 

x(t) fraction of the ISPs at time t that have adopted and 

enabled the firewall 
y{t) fraction of the ISPs at time t that are yet to purchase 

Y rate at which each ISP updates its adoption decision 

Gij expected utility of an ISP if it chooses adoption status 

j given that its current adoption status is i 
Vjj the probability with which a decision-making ISP 

switches from adoption status ( to j 
P rate at which a new intrusion attempt is launched 

nj number of attackers in the network 

jj, rate at which a successful intrusion to a subnet is 

detected and blocked 
Co one time purchase fee of the firewall 

C per unit time usage cost of the firewall 

Cii instantaneous cost upon a successful intrusion 

C21 cost (loss/damage) per unit time of intrusion 



is its expected utility if it stays yet-to-purchase, and so on. 
Let Co denote the one-time purchase fee of the firewall. We 
note that G„g(x) and Gcie{x) differ only in the purchase fee 
of the firewall. Specifically, Gde{x) = G„e{x) +co. Therefore, 
for Co > 0, we have Gde{x) > Gne{x). Moreover, G„„{x) = 
Gen{x), as both utiUties are only associated with the expected 
cost of the intrusions, which is the same for an ISP with its 
firewall disabled, and an ISP that is yet to install it. Similarly, 
Gdd = Ged = G„n, and hence, without loss of generality and 
for brevity, we can define Gn '■= G„„ = Gen — Gdd = Ged- 
Along the same line of arguments, we define G^/ :— Gee = 
Gde and Ge '.^Gne- 

The introduction of Gn, Ge' and Ge leads to the following 
decision rules in ([TJ: If GE'{x{t)) ^ GE{x{t)), then Ved = 

lG£,W0)>G£(4r)) ™d Vde{x{t)) = 1 - V^,/(x(f )). If G£/(jc(0) = 

G£(x(f)), then the ISP is indifferent between enabling and 
disabling the firewall and hence Ved,Vde G [0)1]- Similar 
comments apply to v„e and vv„ . A list of our main notations 
is provided in Table [l] 

A. Finding the Equilibrium Points 

In order to obtain the equilibrium solutions (fixed points) 
of the adoption process as described by ([TJ, we need to derive 
the utility functions Gn{x), Ge{x), and Ge'{x). As mentioned 
before, Ge'{x) — Ge{x) +co. Hence, we focus on calculating 
Gn{x) and Ge{x). Along the way of calculations, some 
auxiliary symbols are defined to replace lengthy expressions. 
A list of the most important ones is provided in Table [III] for 
ease of access. 

Let c be the cost per unit time of using the firewall incurred 
by an adopter ISP due to maintenance, communication laten- 
cies, false positives, etc. Note that c differs from co, i.e. the 
single-time purchase fee to obtain the firewall. For simplicity 
of exposition, we consider security breaches that do not 
propagate in the network. For example, we will not consider 
attacks involving self-replicating malicious codes (known as 



TABLE II 

Success probabilities of an intrusion attempt 





Host's ISP 




Protected 


Not Protected 


Attacker's ISP 


Protected 


TTi 


Hi 


Not Protected 


TTq 


no 



worms) in this article. Hacking is a typical example of a non- 
replicating type of attack. We will refer to such attacks by the 
umbrella term of intrusion attempts. When a host in a subnet 
of an ISP is compromised, the ISP incurs an instantaneous 
cost of Cii and a per unit cost of C21 that persist as long as 
the host is infiltrated. The instantaneous cost may reflect the 
losses due to exposure of private information or manipulation 
of data, while the per unit time cost can represent the 
accumulation of eavesdropped data, accessing the network 
at the cost of the victim, slowdown of the victim's machine 
or the ISP's service, etc. The time it takes to remove the 
infection is according to an exponential random variable with 
rate jj.. Machines are again susceptible to future attacks, since 
new attacks are likely to exploit new techniques. 

Without prior knowledge, new security breaches can origi- 
nate from the subnet of any of the ISPs. We assume that ISPs 
are homogeneous, that is, they assign the same parameters 
for costs and have similar subnet sizes, furthermore, that a 
target of an intrusion is chosen uniformly randomly from the 
space of IP addresses. These along with the assumption of 
homogeneous sizes of the subnets, imply that the target is 
equally likely to belong to the subnet of any of the ISPs. 

The success probability of an intrusion attempt depends in 
part on the status of the ISPs of the attacker as well as the 
ISP of the target with regard to the adoption of the firewalllH 
Specifically, the highest chance of intrusion success is when 
neither of the ISPs have enabled the firewall, while the lowest 
likelihood is when both ISPs have (obtained and) enabled 
it. Based on the four different conditions for the adoption 
status of the ISPs of an attacker and its target, we define 
intrusion success probabilities TTo, Ti\, Hq and Hi according 
to Table [n] Namely, n\ is the success probability of intrusion 
if both ISPs have enabled firewalls in place, n\ is the success 
probability of an intrusion if only the target's ISP has adopted 
the firewall, and so forth. 

Without loss of generality, we let IIq = 1 and only consider 
the attempts that are successful in the absence of any firewall. 
However, we continue to use the notation Hq in our formu- 
lation for presentation purposes. In general, the following 
ordering holds for the intrusion success probabilities: 



0<7ri <7ro<ni <no< 1. 



That Ho is the largest of the group is obvious, as it is 
the probability of success of an intrusion if no firewall is 
set up on both ISPs of the attacker and target (hence the 
most exposed scenario), tiq < Hi, since the primary goal of 
the firewall is to protect the subnet against the incoming 
threats and hence, a marketable firewall provides no less 

'Note that intermediate routers do not monitor for threats and the only 
traffic monitoring for threats ai'e at border (edge) ISPs. 



protection against the incoming threats than against the 
outgoing threats. n\ < TZq, as ;ri is the success probability 
of an intrusion that has to bypass both firewalls of its own 
subnet's ISP and of the ISP of the victim's machine, while 
;co is the success probability of an intrusion that only has to 
bypass the firewall of the victim's ISP. 

For a firewall whose mechanism of intrusion prevention 
is only signature-based, if both firewalls have access to the 
same signature database then ;ri = TZq, that is, if an intrusion 
can successfully bypass one of the firewalls, it will be able 
to bypass the other one as well. We will refer to this case 
as the mutually inclusive scenario. However, it could be that 
one of the firewalls is more up-to-date than the other, hence it 
is likely that tti < ttq. Also, anomaly detection mechanisms 
are in essence probabilistic and they have a false negative 
chance. The past traffic history of the two ISPs differ, hence 
the blocking events of the two firewalls may not be exactly 
mutually inclusive. In case the intrusion prevention outcomes 
of the firewalls are mutually independent, for Ho = 1, we 
have ;ri — tzqTIi. Hence, we have the following additional 
structural inequality: 



0< TtoYIi < Tti. 



(2) 



New mechanisms are proposed in which the firewalls in 
different ISPs "co-operate" to improve their detection and 
blocking chances (e.g. [11]). In such cases, it is possible for 
TTi to be less than ttoHi. We, however, do not consider such 
cases in the current article. 

In our model, we assume that new intrusion attempts are 
initiated at a rate p after independent and exponentially 
distributed time intervals. Let «/ be the number of active at- 
tackers in the network, which we assume to be fixed. Hence, 
njp is the rate of all incidents of successful intrusion attempts 
when no firewall is present. Note that although estimating nj 
and p is difficult, njp/N can be readily estimated by each 
ISP, since it is the rate of successful intrusion attempts on a 
single ISP when the firewall is absent, and as we will see, 
that is indeed what appears in the expression for the utilities 
of each ISP. The rest of the parameters of the problem, such 
as Co, c, Cii, C21, etc., are also assumed to be publicly known. 

The utility of an ISP is a decreasing function of costs and 
losses due to potential future intrusions to its subnet. For ease 
of calculations, we assume risk-neutral ISPs. Hence, we can 
directly take the negative of the costs to be the ISPs' utility. 
Let <7(f ) represent the state of the decision-taking ISP with 
respect to the intrusion, that is, a{t) — 1/0 indicates that the 
ISP's subnet is intruded/not intruded at time t. Without loss 
of generality (achieved by shifting the time coordinate) we 
can let f = 0. Now, Gn can be computed as follows: 

Gn= Y. {GN\o{0) = i)V{aiO) = i}. (3) 

;g{o,i} 

Define: A:^ - {Gn \ Ct{Q) ^ I) , B := - {Gn \ Ct{Q) ^0) . 

In words, A {B) is the conditional expected cost of non- 
adoption given that a node in the subnet of the ISP is cur- 
rently intruded (not intruded). At a decision making epoch, 
the ISP may not be aware of an ongoing successful intrusion. 
As we stated before, a successful intrusion is detected, and 
then immediately blocked, after an exponentially random 



TABLE III 

Definition of the main auxiliary coefficients 



coefficient 
a 

n 

A 



definition 

(Ci/(r + Ai)+C2/)/r 

"^{Yl.x + Yloil-x)) 

nip 
K 



are two components, first one is the cost of adoption, that 

c 
is simply cq + -, and the other component is the cost of 

r 
intrusion, whose calculation follows the same steps as in 

Gn{x) except for accordingly changing the probabilities of 

successful intrusion. Hence, we can directly deduce: 



c A(7rix + 7Cb(l-x)) 

CrEix) = —CO a -— r- 

^ ' r fi+Ainix + Ttoil-x)) 



(10) 



delay with rate /i. To introduce a measure of the short- 
sightedness (or impatience) of the ISP, we use the discount 
factor r. higher values of r imply a greater degree of short- 
sightedness. Hence, we have: 



A straightforward yet important property of the expected 
utilities is that they are (both) increasing in the value of x: 

dG^ix) dGE{x) 
Lemma 2.1: For any x e [0, IJ we have: 



dGE'ix) 



dx 
> 0. The equality holds only if Hi = Hq. 



dx 





C21 



e-^'pLdt[ / e-"C2idT: + €-''' B 



piB 



(4) 



A=Cu- 

H+r fi + r 
On the other hand: 

B= [ P{ff(T)=0,0<T<f} — (nix + no(l-x))Ae-'"'c/f 
Jo A* 

^(nix + no(l -x))Ae-'''dt 
ri/p 



Let Tj 



A^ 



(nix + no(l-Jc)). Then: 



B = 



-7]V 



rje ''^Adv — 



n 



From (|4]) and (|5]l, we get: 



A = Cu 



M 



r + rj 
1 



(5) 



Hence, positive externality exists for both adopters and non- 
adopters. Moreover, the positive externalities vanish only 
when there is no protection against the outgoing threats. 

B. Multiplicity/Uniqueness and Stability of the Equilibrium 

We start this section with a lemma that we will use 
multiple times. 

Lemma 2.2: For non-cooperating firewalls (hence in- 
equality pi) and when Hi < Ho, D{x) := ——(Ge(x) — 

dx 
Gn{x)) < at any point x e [0, 1]. 

Note that this lemma also implies — {Gg' (x) — Gn{x)) < 

for any x G [0, 1], since Ge'{x) = Ge{x) +co. Also, for the 
case of Hi = Ho, we have TTi = TTo- This leads to D{x) = 
for all X. 

Proof: From (|9| and ( [TO] i we have: 

D{x)^—{GEix)~GN{x))=naAx (11) 



C21 



H+r r + n r + ri 



dx 



Cu 



/J+r 



1- 



(r+Ai)(r+T]) 



a{r + r]) 
r + n + T]' 



B 



ar\ 



{7Zq-K\) 



(Ho -Hi) 



r + jU+Tj 



(6) 



where a := {C\i{r + p.) + C21) / r (listed in Table [lll|). Now, ^^^^ ^r- _ \ 



since as we assumed the ISPs make their decision as a best 
response the current level of adoption assuming it will not 
change, the probability of being intruded or not intruded that 
they assign themselves comes from the stationary distribution 
associated with the current level of adoption. Hence, from 
renewal theory: 



[^+A{%yx+TtQ{i-x))Y [Ai+A(ni.=c+no(i-x))]^ 

Recall that without loss of generality, we can let Ho = 1 and 
hence, we have the inequality in (|2|, that is, KqII\ <K\ < ttq. 

: — r-r^ . Now, con- 

_p.+A{n\x + TZo{l-x))Y 
sider the following maximization problem: 



max(^(7ro,7ri) 



S.t. HiTTo < TTl < TTo < III 



[CT(1) = 1} = 



M 



^p(xni + (i-,x)no) 



[CT(0)=0} 



pni 



M 



+ , 



Ai + ^p(xni + (i-x)no) 77+^ 



(7) 
(8) 



For any fixed value of ttq, 0(7ro,7ri) is strictly decreasing in 
n\. Also, for any fixed value of n\, (j){no,7:i) is strictly in- 
creasing in tzq. Hence, the maximum of 0(;ro,7ri) is achieved 
at the extreme point of (11 1,!!;). Therefore, from ( [TT| i: 



£)<(i-ni){ 



n^ 

p.+Ani{Ylix+{l-x))f 



Take A := , which we refer to as the intensity of intrusion 

attempts. Combining (|3]l, (|6|, 0, ^ yields: 



[li+A{YIix+{l-x))Y 



Gn{x) =- 



a{r+r])r] arjji 

(r + Ai + Tj)(77+jLi) (r + jLi + 77)(77+^) 
arj A(nix + no(l-x)) 



(9) 



jLi + 77 ii+A(Uix + Uo{l~x)) 

Calculation of the Ge{x) is now straightforward: there 



Now, consider the function V/iy) = 7 ; ; tttt ■ 

'^^^' [lX+Ay{Uix + {l~x))Y 
This function is strictly increasing for y >Q. In particular, 

V/(ni) < v/(l) for III < 1. Referring to ( [TT] ), we have shown 

D(x) <Ofor all 0<x< 1. ■ 

Lemmas |2.1|and 2.2 have an important corollary: Ge{x) 



and Ge'{x) each can cross Gn{x) at most once in the interval 



of (0, 1). Recalling that for cq > Ge{x) < G£/(x), in the 
most general case, we can introduce ^ and i^' as following: 

3C& C', 0<C<C'<1, s.t. : 

'Gn{x) < Ge{x) < Ge'{x) for x e [0, Q 
Ge{x) < Gn{x) < Ge'{x) for ^e (CO 
Ge{x) < Ge'{x) < Gn{x) for x £ (C 1] 

The extension to other special cases is straightforwardr] 
Equilibrium points are derived by equating both x and y in ([ij 
to zero. y{t) = yields y* = or vqi — 0. Hence: 



x{t) ^0<^ 



[/ = & 7(1 -x*)vo/i - r-«*vio' = 

I v'oi = & 7(1 -X* -/)vo/i - yx*viQ, = 



This leads to: 

'/=0,x* = l,G£Kl)>Gw(l) 

y*^Q,X*^Q,GE'{Q)<GN{Q) 

y* = 0,x* ^ C' 
> Ge{x 



unacceptable 
unacceptable 



Gn{x 
Gn{x 



,x^+/ 



l,GE'{x*)>GMix*) 

^x*e(C,C'),/ = i-^* 

Gn{x*) 

^x* = C'ye[QA-C'] 
Gn{x*) > Ge{x*),Gn{x*) > Ge'{x*),x* = -(— unacceptable 



>GE{x*),GE'ix*)- 



In brief, the equilibrium point is not unique. First, note 
that any point {y*,x*) for x* e (CjC) ^"d y* = l—x* can 
be an equilibrium point. Also, (y*,x*) where x* = C,' and 
< y* < 1 — C can be equilibrium points. Which of these 
equilibrium points is eventually achieved depends on the 
initial condition that the system starts with. For instance, 
if x(0) = xq e (CC')' say by seeding the network by free 
samples, then those ISPs that do not have the firewall have 
no incentive to obtain it. Hence, in the equilibrium, y* = yo- 
Now, if yo > 1 — C'' then the ISPs that have the firewall 
will enable it until there is no ISP with a disabled firewall, 
and hence, x* = \ —yo. On the other hand, if yo < 1 ^ C'' 
then ISPs with firewall will progressively enable it until 
X* = C,' fraction of the ISPs have enabled their firewalls. 
Subsequent ISPs with the firewall have no incentive to enable 
theirs. A practically interesting case is when the system starts 
with no seeding, that is (yoi-^^o) = (1,0). In this case x{t) 
progressively rises to slightly above C, and then the system 
is locked into the point (0, 1 — C,^). For practical purposes, 
as long as the value of the equilibrium level is concerned, 
we can (and henceforth will) take {y* ,x*) — {\ ~ C,,!!,) as 
the equilibrium point for the case of (ycxo) — (1,0). In 
summary, we have the following theorem: 

Theorem 2.3: If firewalls do not cooperate, then an equi- 
librium point is not unique and depends on the initial value. 
However, for any given initial value, the equilibrium point 
is unique and stable. 

^For instance, in tlie trivial cases sucli as wlien Ge(x) > Gn(x) for all 
X e (0, 1) (sufficient to check if GeW > Gn{^)), then the equilibrium point 
of the system is the unique and stable point {y*,x*) = (0, 1). As another 
example, if Ggi (x) < Gn (x) for all AG (0,1) (sufficient to check if G^/ (0) < 
Gjv{0)) then the equilibrium point is trivially {y' ,x*) = {I — xq — yo,0). 
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Phase diagram for the case of c^>0 
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Fig. 1. A sample phase portrait for the ODE of (TJ. Region 1 is designated 
by x< ^, x+y < 1, where the ODE turns to y(tY= -yy(t), x{t) = yy(t] + 
7(1 -x{t) -y{t)); Region 2 is where ^ <x <t^',x+y< 1 and the ODE is 
y{t) = 0, x{t) = 7(1 -x{t)-y{t)); Region 3 is the region ^' <x, x+y < 1, 
where the ODE is transformed to y{t) = 0, x{t) = — 7x(f). All the points in 
the set of {^' ,y) for < y < 1 — f ' and (.v, l—x) for l^ < x < f compose 
the equilibria of the system. 



Fig. [T] depicts an example phase portrait for a case in 
which Co > 0. An implication of the theorem is that when 
firewalls do not cooperate, we do not have the phenomenon 
of tipping point (a.k.a. critical mass), as they are associated 
with unstable equilibrium points. For the rest of the paper, 
we assume that the system starts from {yo,xo) — (1,0). 
Moreover, without loss of generality, we assume that the 
equilibrium point is non-trivial. A corollary of this assump- 
tion and the assumption of starting from {yo,xo) — (1,0) is 
that at the equilibrium point {y*,x*) (which is (1 — CQ), 
we definitely have Ge{x*) - Gn{x*) = 0. 

C. The Effect of Hi and the Phenomenon of Free-Riding 

Here, we show that less protection on the outgoing traffic 
by the firewall (hence a larger Hi), leads to a higher 
equilibrium level of adoption. Equivalently, the more firewall 
provides protection against the outgoing threats, the less 
ISPs will be willing to adopt the firewall in the equilibrium. 
Intuitively, with lower ability of the firewall to block the 
outgoing threats, ISPs feel the need to block the incoming 
threats instead of free-riding on others' investmentspl 

Theorem 2.4: When firewalls do not cooperate, ^r— — > 0. 

oTIi 

From our discussion in ^II-B for {yo^xo) = 

Gn{x). 



Proof: 

(0, 1), X* is the solution of Ge{x) 



Define: 

<^{pi,P(^):=A + n{pix*+pQ{\-x*)). (12) 

Now, we can write Ge{x) ~ Gn{x) as: 



c + rcQ _ 

Cii{li + r)+C2i ^ 

-{IIix*+IIq{1-x*)) 



(/)(ni,n 



Q) 



(7rix* + 7ro(l-x*)) 

0(7ri,7Cb) 



(13) 



^There is a cautionary pitfall in this intuitive argument: one could argue 
that as more ISPs adopt the firewall, its efficacy increases and hence it 
becomes a more attractive service, leading to higher level of adoption. 
To counter this argument, the lower bound on Tl\ is necessary. That is, 
the improvement in the efficacy of the firewall is overwhelmed by the 
improvement in the efficacy of the firewall for non-adopters. 



We can take the partial derivative of both sides of ( [T3] l with 
respect to Hi: 

dx* 



0=-Dix*)- 
a dill 



llx' 



[ju+A(nix*+no(i-x*))]2 

From Lemma 2.2 in i II-B| we have D{x*) < 0. The statement 
of the theorem follows. ■ 

D. Pareto-Optimum Adoption and Price of Anarchy 

Here we investigate the scenario in which a social planner 
can impose the choice of adoption on ISPs, and attempts 
to maximize the aggregate expected utility. The optimization 
problem of such central planner is the to maximize the social 
utility as defined bellow: 



U{x) := xGe{x) + (1 -x)Gn{x) 



(14) 



We denote an optimum x by i, i.e. x E argmaxf/(x),0 < 
X < 1. If < i < 1, it must satisfy the following gradient 
condition: 



Ge{x)-Gn{x) + [. 



dGEix) 



For III < Iln, both 



dx 
dGEix) 
dx^ 



(1 



dGNix) 



0. 



and 



dGN{x) 



for all < jc < 1 accordmg to Lemma 2.1 
or i = 1, or Ge{x) 



are strictly positive 
Therefore, either 
Recall that x*, the 
satisfied 



X = 0, or i = 1, or Ge{x) — Gn{x) < 0, 

equilibrium point if ISPs could decide themselves 

the condition Ge{x*)~Gn{x*) = 0. Also recall that for 11 1 < 

Ho, Ge{x) — Gn{x) is a strictly decreasing function of x (by 

Lemma IZ2]). Hence we have the following result: 

Theorem 2.5: The socially optimum (planner-imposed) 
level of adoption, x, is always greater than the equilibrium 
level of adoption, x*. Moreover, when < x* < 1 and Hi < 
Ho, then x >x*. 

Theorem |2.5| has important corollaries: Each ISP enjoys a 
higher utility in the socially optimum fraction of adoption. 
This is because following Lemma 2.1 both Ge{x) and Gm{x) 
are increasing in x and according to the theorem, x > x*. 
Then a question may arise as to what prevents the ISPs from 
reaching this pareto-optimum level of adoption in which 
everybody is better off. It is because some ISPs are more 
better off than the others. Specifically, those ISPs that do not 
adopt would enjoy a higher utility than those who adopt it 
in the socially optimum solution. If the ISPs could freely 
decide, then they stop adopting once opting out starts to 
yield more utility, even though continuing to adopt will also 
increase their utility (but less than opting out would increase). 

The price of anarchy {PoA) is defined as the ratio of the 
optimum social utility over the social utility computed for the 
worst equilibrium. The price of stability (PoS) is defined in 
a similar way, with the difference that the worst equilibrium 
is replaced by the best equilibrium. As we showed in ^11- 
[B] for any given initial condition, the equilibrium point in 
our problem is unique, and hence, the price of anarchy and 
stability (given an initial value) are the same: 



PoA = PoS - 



xGe{x) + (1 -x)Gn{x) 



x*G£(x*) + (l-x*)Giv(x*) 

For Hi = Ho, that is, when there is no protection against the 
outgoing threats, the price of anarchy is unity. In the next 



section, we investigate the "best" choice of Hi if it could be 
imposed by a regulator. 

III. The Problem of a Regulator: Setting the 
Optimum Protection on Outgoing Traffic 

We hitherto assumed that the protection level on the 
outgoing traffic (and hence Hi) is a given parameter of 
the firewall. In general. Hi can be any value between IIq 
(no protection) and ttq (the same protection on the outgoing 
traffic as for the incoming traffic). Recall that lesser values 
of Hi correspond to more protection against the outgoing 
threats. Theoretically, developers of the firewalls can add 
protection on the outgoing traffic at least as much as the 
protection on the incoming traffic at no additional cost 
of production. In Theorem 12.41 in f|II-C| we showed that 

dx* 

- — < 0, therefore, the firewall developers have an incentive 

dJli 

to remove any protection against the outgoing threats to 

maximize their saleO 

The regulator can set a minimum requirement on the 

amount of protection against the outgoing threats relative 

to the protection provided against the incoming threats by 

any firewall. In the language of our model, there can be a 

maximum value imposed on Hi relative to Uq. The firewall 

developers will then choose to produce firewalls with this 

highest value of Hi, as following Theorem |2.4[ this will lead 

to the largest sales for them. A natural idea seems to put the 

bound on Hi to be equal to tzq as it corresponds to the highest 

protection against the outgoing as well as the incoming 

threats. However, as we showed in Theorem |2.4| this will 

lead to free-riding among the ISPs and a low equilibrium 

level of adoption, hence potentially a less secure network. On 

the other hand, if the bar on Hi is YIq, then the highest level 

of adoption is achieved but the amount of protection against 

the outgoing threats is the weakest (nonexistent). Hence, a 

choice of the "best" Hi is a non-trivial question and depends 

on the metric and the perspective used. In what follows, we 

consider some of these different metrics. 

A. View 1: Decentralized Social Optimum 

Let us define a solution of the following optimization for 
Hi, a decentralized social optimum Y\\: 

Yl\ e arg max Uix*) 
;to<ni<no 

where U{x*) ^x*Ge{x*) + (1 -x*)GAr(x*), is the social util- 
ity of the ISPs. We use the phrase decentralized to emphasize 
that ISPs are allowed to freely choose their individual best 
decision of adoption, and the system is accordingly at the 
equilibrium value x*. Assuming < x* < 1, x* satisfies 
Gn{x*) — Ge{x*). Hence, the above optimization is trans- 
formed to: 



Hi G arg max Ge{x*), 
7io<ni<no 



or equivalently 



Hi earg 



I max Ge{x) s.t. Ge{x) — Gi^{x)=Q (15) 

;ro<ni<no 



'^It is assumed that the firewall developers make (a small amount of) profit 
on each copy of the firewall sold. 



The above optimization is non-convex (due to the nonlinear 
equaUty constraint). Nevertheless, we can observe the fol- 
lowing theorem without solving the optimization. 

Theorem 3.1: In non-cooperative firewalls, for the case 
of TTi = TZq (i.e., mutually inclusive firewalls), any Hi is a 
decentralized social optimum. 

In words, if the ISPs are allowed to individually take their 
adoption decisions, then the optimum value of the social 
utility is not affected by the level of protection imposed 
on the outgoing traffic. Now, initially this might come as a 
surprise; after all, the value of jc* does change with changing 
Hi . The proof of the theorem reveals why this does not affect 
the value of social utility. Intuitively, it is because as Hi is 
decreased, the protection provided by the firewall improves, 
however, a smaller fraction of the ISPs end up adopting the 
firewall. The aggregate impact is that the overall utility in 
the network stays unaffected. 

Proof: In ( [T5| l, for ;ro = TTi, Ge{x) does not depend on 
either jc or Hi. ■ 

The proof may suggest that the above observation may 
only hold for the case of TZi = TTi, i.e. mutually exclusive 
scenario. Recall that this is case in which the blocking 
outcome of the firewalls of the intruder and of the victim are 
the same, that if if an intrusion can bypass one, it can bypass 
the other as well. Further investigation, however, reveals that 
in fact, this result can be generalized to other scenarios too: 

Theorem 3.2: In non-cooperative firewalls, for any case 
of TTi = UqIIi + a(7C{) — T^orii) for an a e [0, 1], any IIi is 
decentralized-socially optimum. 

Note that for a = we have the case in which the blocking 
outcomes of the two firewalls are independent of each other, 
and for a — I, the mutual inclusive case as in Theorem ) 3. 1| 

dGi(x*) 

Proof: We need to show = 0. A change in 

fllli 
Hi affects the utility at the equilibrium both directly (depen- 
dence of Gn, Ge on Hi) and indirectly through changing the 
equilibrium level x*. Hence: 

dGiix*) dGi{x*) dGi{x*) dx* 



dUi 



dn. 



dn. 



(16) 



We have: 

dGi{x*) 

dUi 
dGojx*) 

dUi 
dGi{x*) 

dx* 
dGojx*) ^ 

dx* 

To calculate 
can deduce: 



--I1X* (A+ju (ni,Y* +no(i -~x*)))-^ 

--{^x*^nA + ^{n,x* + Ko{l-x*)))-' 
---{Uo-Ui)x*{A + ^{UiX*+Uoil-x*))) 

---{no- ni)x* (A + ;U (7ri.x* + 7ib(l -x*))y 

dx* 
dU, 



-2 



-, we note that from Gi{x*) — Go(x*) we 



dGijx*) dGijx*) dx* dGojx 
dUi ^ dx* 



dx* 
dfh 



dUi dUi dx* 



dGojx*) dx* 

X 



dU, 



3Giix*) 



dx* 



Referring to the definition of (j)jpi,po) in ( fTS] ), and replacing 
the terms in ( [T6| ), we obtain: 



dGijx*) 
dU, 



<j)jUi,Uo)-'-x 
flx*-fijUo-Ui) 



M0(ni,no)-2- 
M0(ni,no)-2 



(no-no 

fil^x^jnuno)-^ 
H^-^H^uno)-^ 



= 



The last equality follows because for Tti = TZoYli +a(7ro- 

dni TTo-TTi 

TToIlij, we have 



dUi Uo-Ui 



Theorems |3.1| |3.2| establish that if ISPs freely take their 
adoption decisions, then the social optimum utility is not 
affected by the level of protection on the outgoing traffic. 
Hence, it is interesting to investigate other metrics of opti- 
mality for Hi, as we do next. 

B. View 2: Decentralized Individual Optimum 

For individuals adopting the firewall, a decentralized op- 
timum Hi is given by: Yli G argmaX;j^,<ni<noG£(.JC*). For 
individuals who opt out, an optimum Hi is provided by: 
Hi e argmax^Q<ni<no GnJx*). Since at equilibrium, we have 
GnJx*) = GeJx*), solutions of the above two optimizations 
are the same; and are further equal to the solution of the 
social optimum utility as was shown in ([TSj. Hence, a de- 
centralized social optimum value of Hi, is also decentralized 
individual optimum for all ISPs. Moreover, Theorem 3.2 
applies to the decentralized individual optimum Hi as well. 

C. View 3: Decentralized Security Optimum 

Since, both decentralized social and decentralized individ- 
ual utilities are unaffected by the value of Hi, we define 
a new metric of practical interest. One can consider only 
the cost of the intrusions in the network to be the metric of 
optimality. Accordingly, we define the security utility Vjx) 
to be the negative of the expected aggregate damage incurred 
on the network as a result of the intrusions if the adoption 
decisions are taken in a decentralized manner by the ISPs. 
Note specifically that Vjx) does not include the costs of the 
adoption of the firewall. In our problem, Vjx) is as follows: 



VJx)=x{GeJx) + ^ +co) + (1 -x)GnJx) 



(17) 



It is easy to see that Vjx) is increasing in x. Hence, in the 
light of Theorem [ZS] Vjx) >Vjx*). That is, the socially 
optimum level of adoption not only provides a better aggre- 
gate expected utility (by construction), it also provides better 
overall network security, compared to the equilibrium level 
of adoption. If we were to centrally maximize Vjx), then the 
optimum choice for x (denoted by x) would be i = 1 . Note 
that the adopters in this case win a still higher utility than 
the adopters even in the socially optimum scenario. However, 
this is achieved at the cost of lower utility realization for the 
non-adopters in the socially optimum choice of x (hence its 
achieved aggregate expected utility is lower). 

Now, as we did in the previous two subsections, we define 
a decentralized security optimum Hi to be a solution of the 



following optimization problem: maX;jg<n,<no^(-*^*)- The 
socially optimum Hi is provided by the following theorem: 

Theorem 3.3: In non-cooperative firewalls, Hi = Ho is 
decentralized security optimum choice for Hi. 

Recall that Hi — T[q{— 1) translates to the provision of no 
protection on the outgoing traffic. 



Proof: From Theorem 3.2 changing Hi does not affect 
the value of U{x*). From the definition of V{x) in ^TT) , 
we have: V(x*) — U{x*) +x*{c/r + co)- Hence, a Hi that 
maximizes V(x*) must maximize x*{c/r + C(j). For any non- 
trivial firewall, we have c/r + cq > 0. From Theorem 2.4 
higher x* is achieved by increasing Hi. Therefore, Hi 
maximizes x*, and hence V{x*). 



Ho 



Theorem 3.3 is in fact a negative result: the highest security 
utility in the decentralized case is achieved if the regulator 
requires no protection on the outgoing traffic. Next, we 
discuss how this reveals a significant inefficiency. 

D. Centralized Optimum 

We can consider the optimum centralized version of each 
of the previous three viewpoints: social, individual and 
security. For a centralized optimizer, the choice of variables 
X* and Hi are decoupled. For any Hi < Hq, we have 
dGN{x) dGsix) ^^ ^,_ ^„..„„,_ .„„u„,.„ -^GnW 



, > 0. Also, for any x, we have 

ax ax aJli 



<0, 



< 0. Hence, the centralized optimum value of Hi 



dGnix 

dill 

that simultaneously maximizes U{x), V{x), Ge{x), Gn{x) is 
ni.min. i-S-^ maximum protection on the outgoing traffic. Note 
that this is despite potentially different centrally optimum x 
for each of these optimizations. For instance, the pair (Hi ,x) 
that maximizes the social utility is (riimini-^)- while the pair 
{Tli,x) that maximizes the security utility is (Hifnin,!), and 
it is possible to have i < 1 . 

In the decentralized scenario, i.e. when ISPs are free to 
adopt or not, maximum security utility is achieved at the cost 
of eliminating the protection against the outgoing threats, as 
the values of x* and Hi were coupled. This suggests that 
a regulation on only firewalls is inefficient, and an efficient 
regulation should be on both firewalls and ISPs. 

IV. The Price of Shortsightedness 

A. The Effect of the Discount Factor on the Equilibrium 

We showed in §II-B that when the market is not seeded, 
i.e. (yo,-^o) = (IjO), the equilibrium fraction of the nodes 
that adopt and enable the firewall is (practically) equal to 
C,, which is the solution of Ge{x) = Gn{x), noting that 
Ge{x) includes negative of the purchase fee, -co, as well. 
Recall the definition of as in ( [T2] l, that is ^{pi,p2) := 
IJ.+A{pix + po{l — x)). Taking the partial derivative of both 
sides of the equation Ge{x) = Gn{x) w.rt. r leads to: 



Co{Cul^+C2l)-cCu 

[Ci/(M+r)+C2/]2 


=ma 


■(tto-tti) 


(Ho-ni)- 

0(ni,no)2j 


dx* 
dr 

• 



E{x 



In order to determine the sign of ^r— , we investigate the sign 

dr 
of its coefficient, denoted by E{x*). From ([TT]) it follows that 



E{x*) =D{x*)/a. From Lemma [zl] D{x*) < 0. Hence, we 
have the following result: 

dx* 



Theorem 4.1: sgn 



: sgn(cCi/ - co(Ci/^ +C2/)). 



Consider the extreme case of /i = 0, that is, a successful 
intrusion is never detected. According to the theorem, in this 

Co C\i dx* 

case, if — < — , then ^r— > 0. That is, if the ratio of the 

c C21 or 

purchase fee to the (per unit time) usage cost of the firewall 

is less than the ratio of instantaneous cost to per unit cost 

of the infection, then more shortsightedness leads to higher 

equilibrium levels of adoption. Intuitively, it is because ISPs 

tend to see the more immediate effects more clearly (i.e., 

weigh them more). Hence in this case, where the firewall 

carries a lower weight of instantaneous cost relative to per 

unit cost than the infection does, the firewall becomes a more 

attractive service as ISPs become more shortsighted. 

B. Measuring the Price of Shortsightedness 

We introduce a measure of inefficiency as a result of the 
ISPs being shortsighted in their decision taking, that is, the 
effect of discounting future events and hence having a bias 
toward near future outcomes. To make this formal, we first 
discuss the notion of a reference discount factor ro. The 
expected utility associated to an achieved equilibrium can 
be measured using a potentially different discount factor 
from the one used by ISPs in their calculation of individual 
utilities. We have used r to denote the discount factor used by 
ISPs. We will use x*{r) to represent the achieved equilibrium 
level of adoption to emphasize the dependence of x* on the 
discount factor of the ISPs. Let ro be the discount factor 
used by a referee. For instance, GE{x*{r),rQ) is the expected 
ro-discounted utility of adopters in an equilibrium level x* 
where the ISPs' discount factor is r. 

We can now formally define the Price of (temporal) Short- 
sightedness. The Social Price of Shortsightedness (SoPoSh) 
is defined as follows: 

SoPoShir) := Um ^(li"^;^of ^);^o) 

Note the dependence of SPoSh on r. Also, since we showed 
x*{r) is unique, there is no ambiguity between the choices 
of equilibria. Similarly, we can define the Security Price of 
Shortsightedness SePoSh{r) as ^ . ,/\ ^''^^^ ■ 

Following its definition, higher prices of shortsightedness 
means that from the referee's viewpoint, shortsightedness of 
the decision-takers leads to inefficiency. As r approaches 0, 
these prices of shortsightedness approaches one. However, 
unlike Price of Anarchy and Stability, there is no general rule 
that the prices of shortsightedness is always less (or greater) 
than unity. That is, depending on the parameters of the 
problem, it might be "beneficial" to have less or more short- 
sighted decision-takers. This has interesting policy-making 
implications. In general, we have the following theorem: 

Theorem 4.2: For all r, both SoPosh{r) and SePoSh{r) 
are: (a) greater than one if cCy > co(Ci/jU +C21)', (b) less 
than one if cCu < co(Ci//X +C2/); (c) equal to one if cCu = 

Co{Culi+C2l). 

Proof: We present the proof for SoPoSh{r); 
the proof for SePoSh{r) follows similarly. If 



dU{x*{r),rQ) 



d 



r 



< 0, then SoPoSh{r) > 1, and 



We have: ^^^^^^^^'^Q^ = dU{x*{r),r,) ^ dx*{r) ^ 
Uix*{r),ro) ^x*ir)GE{x*{r),ro) + (1 -x*[r))GN{x*ir)'ro), 
hence: ^^^V/'^ = [G£(x*(r),ro) - G^(x*(r),ro)] + 
^ dGEix*{r)r,) _^ dG,{x*irUo) ^^^ ^^^^ 

^ ' dx*{r) ^ ^ " dx*{r) 



term is positive as a consequence of Lemma 2.2 Note that 



in the proof of Lemma 2.2 the specific value of r was 



irrelevant. The second and third terms are also positive (at 
least one of them strictly positive), as for any ro, we have 

(9GAr(x,ro) dGE{x,rQ) r^. ,, e ^^ e 

;; , ;; > 0. The theorcm now follows from 

ax I , ax 

Theorem 14.11 ■ 

V. Conclusion 

We present a new analytical model for the adoption of 
security measures by autonomous systems, particularly in the 
context of asymmetric, bidirectional firewalls. Our analysis 
provides insights into equilibrium and stability of adoption 
levels as well as policy perspectives on socially optimal 
outcomes, price of anarchy, and price of shortsightedness. 
We highlight several interesting results, including the de- 
pendence of the equilibrium adoption on the initial seeding, 
how performance improvements in blocking outgoing threats 
can decrease the overall firewall adoption due to free-riding, 
that socially optimal solution increases every ISP's utility, 
and that shortsightedness of ISPs may sometimes help in the 
overall network to become more secure. In the future, we 
intend to extend this analytical model to explore the effects of 
heterogeneities in the ISPs (their shortsightedness, costs and 
subnet sizes) on the adoption process and seeding strategies. 
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